Organizations Need the Right Technologies and Talent in Place to Ensure a Secure Transition to the Cloud
In my previous column, I wrote about the evolution in security from hardware and point products, to an approach that increasingly relies on security DevOps. However, there is another transition that is also well underway – the shift to the cloud. The RightScale 2018 State of the Cloud Report finds that 96 percent of respondents use cloud, with public cloud adoption increasing to 92 percent from 89 percent in 2017.
I bet if you asked each of the 997 survey respondents to describe their use of the cloud you’d get 997 different answers. That’s because the move to the cloud comes in many different forms, each with its own set of implications for security teams. Here are just a few:
SaaS offerings: Services like Office 365, Google, Box, Dropbox and Salesforce are some of the most common services organizations rely on that are accessed through the cloud. Now think about the ways they are being used – accessing email and documents from an unmanaged PC, sharing data with third parties, or tracking sales and forecasting which includes sensitive customer information and credit card data. Providers of cloud services are building security into their SaaS offerings which can get you started. But do you understand their best practices for security, how well they address your use cases and if there are gaps?
Employee cloud usage: Employees are using cloud services without ever involving IT. In the case of Shadow IT, these may be legitimate tools to help them get their jobs done. Other times they are using services simply for entertainment – like the Pokémon Go craze that resulted in some employees unwittingly granting access to corporate environments and potentially exposing their organization’s sensitive data to risk. How can you know about all the cloud services in your environment and mitigate risk?
SecOps in the cloud: According to Gartner, by 2019 more than 30% of the 100 largest vendors’ new software investments will have moved to cloud-only, and this includes investments in security technologies. If you are moving secOps to the cloud, there are many ramifications. Can the service address your bandwidth and oversight requirements? Do you have the capabilities to make use of the higher volume of telemetry feeds that will be available? Is your team skilled in the programming languages these services use?
Corporate services in the cloud: Many organizations are taking advantage of the cloud to respond to business opportunities and challenges with agility – adding new services as needed and rapidly expanding capacity during periods of peak demand. If your organization is among this group, there are some important questions to ask: What infrastructure, apps, and data are moving to the public cloud and when? Will shifting to the cloud introduce gaps in our defenses and, if so, what security precautions can we take?
Whatever form your move to the cloud takes, you need the right technologies and talent in place to ensure a secure transition. Below are a few recommendations:
• Consider a Cloud Access Security Broker (CASB) which simplifies access management at scale. When a user leaves the organization or changes roles, access can be updated automatically across all cloud services through a single, easy to read pane. You can also discover and control cloud apps connected to your corporate environment so you can reduce the use of risky apps.
• With more employees connecting to cloud apps directly through the internet, a Secure Internet Gateway offers visibility into internet activity across all locations, devices, and users, and blocks threats before they ever reach your network or endpoints. By analyzing and learning from internet activity patterns, these solutions can automatically uncover attacker infrastructure staged for attacks, and proactively block requests to malicious destinations before a connection is even established.
• Firewall cloud solutions can protect cloud workloads as they expand, contract or shift location. For example, if you typically have five web servers to support e-commerce but need a sixth web server to handle the uptick in Black Friday traffic, these solutions can expand with your increased workload automatically.
• IT and security professionals with a deep understanding of cloud can be hard to find. Even with various certifications, there’s no substitute for specific knowledge of the actual service. Get to know the best practices for your cloud provider, including what kind of hardware they run, how and where they store data, how long they retain their data, the procedure for decommissioning hard drives and, if they use encryption, where they store their encryption keys.
• Your team has tremendous technical and institutional knowledge that you don’t want to lose, but they may not have other skills needed to support the transition to the cloud, such as knowledge of JSON and Python. Offer training on new tools, policies, and procedures so that existing staff can continue to operate successfully in this new environment.
• While in-house staff comes up to speed, look for additional bench strength in the form of outsourced talent that can fill the skills gap and provide advisory and implementation services. They can help ensure the transition is aligned with your business goals and that you are maximizing value, securely.
• Break the cycle of Shadow IT. As part of good security governance, architectural groups and committees should meet on a regular basis and include all key stakeholders from business, IT and security. This helps bring decision making and awareness back to a group discussion instead of a rogue set of activities.
As you shift to the cloud, remember that this is a journey and that no two journeys are alike. Opportunities, risks and technologies will continue to evolve. But with the right team working together and continuously asking the right questions, you can take full advantage of all the cloud offers, securely.